Providing application visibility for micro-segmentation of a network deployment

Active Publication Date: 2018-06-21
NICIRA

AI Technical Summary

Benefits of technology

[0008]The flows are then reduced by morphing a large number of flows into smaller groups of related flows. Firewall rules for the smaller groups of flows are then created either automatically or through user interactions. The rules are then presented for review (e.g., by getting approval from a security administrator). The rules are then enforced by publishing the rules into the current firewall rule table.
[0009]Some embodiments provide a method that is used in an environment that hosts a set of applications (e.g., three tiered enterprise applications) and generates a network topolog

Problems solved by technology

Deploying micro-segmentation with appropriate policies, however, is turning out to be a challenging proposition.
Since most enterprise applications are not documented in terms of their intra-application communications, the security teams are not aware of all components that constitute the application, and, more importantly, of the internal communications that actually happen across the application components.
In addition, the application developers that built an original application may have moved on, making authoritative application behavior determination a challenging task.
Other than this port that needs to be opened, th

Method used



Embodiment Construction

[0044]In the following detailed description of the invention, numerous details, examples, and embodiments of the invention are set forth and described. However, it should be understood that the invention is not limited to the embodiments set forth and that the invention may be practiced without some of the specific details and examples discussed.

[0045]Some embodiments provide a method of defining micro-segmentation or security policies using a zero trust model for new and existing applications in a datacenter. In a zero trust model, a network is divided into small (or micro) segments and security is applied at the boundaries of each micro-segment. The method analyzes packet traffic generated by the virtual machines that implement these applications. The method receives a selection of a set of seed nodes (for instance through a user interface) and performs flow collection, flow analysis and security policy definition for the seeds in parallel.

[0046]Some embodiments perform flow mon...


Abstract

A method of creating micro-segmentation policies for a network is provided. The method identifies a set of network nodes as seed nodes. The method monitors network packet traffic flows for the seed nodes to collect traffic flow information. The method identifies a set of related nodes for the set of seed nodes based on the collected network flow information. The method analyzes the collected network flow information to identify micro-segmentation policies for the network.
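The seed-node expansion, flow grouping and review-before-enforcement steps described in paragraph [0008] and in the abstract, as an added worked example that is not code from the patent or from Nicira; the flow records, host names and hop limit are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records (src, dst, proto, dst_port); not taken from the patent.
FLOWS = [
    ("web1", "app1", "tcp", 8080), ("web2", "app1", "tcp", 8080),
    ("app1", "db1", "tcp", 3306), ("app1", "db1", "tcp", 3306),
    ("lb1", "web1", "tcp", 443), ("lb1", "web2", "tcp", 443),
    ("backup1", "db1", "tcp", 22),
    ("hr1", "payroll1", "tcp", 443),  # unrelated application: must never be segmented in
]

def related_nodes(flows, seeds, hops=1):
    """Expand the seed set with nodes that exchange traffic with it, up to `hops` away."""
    known = set(seeds)
    for _ in range(hops):
        frontier = set()
        for src, dst, _proto, _port in flows:
            if src in known:
                frontier.add(dst)
            if dst in known:
                frontier.add(src)
        known |= frontier
    return known

def group_flows(flows, nodes):
    """Collapse individual flows into service groups keyed by (proto, dst_port),
    keeping only flows whose two endpoints both belong to the application's node set."""
    groups = defaultdict(lambda: (set(), set()))  # key -> (sources, destinations)
    for src, dst, proto, port in flows:
        if src in nodes and dst in nodes:
            groups[(proto, port)][0].add(src)
            groups[(proto, port)][1].add(dst)
    return groups

def candidate_rules(flows, seeds, hops=1):
    """One allow rule per service group plus a default deny for the segment.
    Rules are returned as pending review; nothing is published to a rule table here."""
    nodes = related_nodes(flows, seeds, hops)
    rules = []
    for (proto, port), (srcs, dsts) in sorted(group_flows(flows, nodes).items()):
        rules.append({"src": sorted(srcs), "dst": sorted(dsts), "proto": proto,
                      "port": port, "action": "allow", "status": "pending_review"})
    rules.append({"src": ["any"], "dst": sorted(nodes), "proto": "any", "port": "any",
                  "action": "drop", "status": "pending_review"})
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(FLOWS, {"app1"}, hops=1):
        print(rule)
```

Raising `hops` widens the segment (here it pulls in the load balancer and backup host), which is the trade-off a reviewer weighs before approving the rule set.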

Description

BACKGROUND

[0001]Datacenters or cloud environments have traditionally been secured by emphasizing perimeter protection to keep outside threats from affecting the entities within the network. Security services such as firewalls were provided at the perimeter to monitor the north-south traffic (i.e., the traffic exchanged with the outside environment) and detect outside threats.

[0002]In a multi-tenant environment, different host machines host virtual machines (VMs) for different users (or tenants). In some cases, several logically separated workload (or guest) VMs of different tenants operate on a single host. In such shared environments, security services (as well as other services) must be applied within the datacenter, not only against external threats, but also against threats from other machines within the datacenter or other VMs running on the same host. In some such cases, the services are distributed and enforced throughout the network. For example, a distributed firewall provid...

Claims


Application Information

IPC(8): H04L29/06, H04L29/08, H04L12/26
CPC: H04L63/205, H04L63/0263, H04L43/14, H04L67/10, H04L63/0209, H04L41/12, H04L67/131, H04L41/0894, H04L41/0893
Inventors: BANSAL, KAUSHAL; SENGUPTA, ANIRBAN; MANUGURI, SUBRAHMANYAM; KRISHNA, SUNITHA; PEREIRA, JERRY
Owner NICIRA